Cyber-threats increasing for universities under lockdown

Universities around the world are bombarded on a daily basis with information about cyber-crime and threats to their IT infrastructure, almost to the point where it feels like there is little else that needs to be done, except trust in the IT department’s skills and get on with life.

But does this mean that students and academic staff are safe, that their research and partner companies’ data is secure, that payments can be made in a secure way and that the university’s computers, libraries and facilities will continue to function without hiccups?

In a word, ‘No’. Like any other business, universities will never be 100% secure because no one is completely safe when it comes to cyber-security.

This has become particularly apparent during the COVID-19 pandemic and its associated increase in remote working for staff and students alike.

Speaking to a United Kingdom higher education audience recently, the UK’s Jisc deputy chief information security officer, Henry Hughes, pointed out that “half of you are not doing any student training in cyber-security”.

Supporting this statement, he added that a Jisc survey of 22,000 students’ satisfaction at the end of their courses found that 82% felt digital skills were essential to their future careers, but less than half of the group felt they were well prepared for the digital workplace.

This matters because we can all be victims (or at least targets) and cyber-security cannot, and should not, be delegated. While you are busy thinking ‘It’s not going to be me, I’m not important’, that’s when you leave yourself vulnerable.

Increased liability

IT security isn’t a new challenge for universities, but with increased remote working factored in, it is expected that European higher education institutions will become more liable for data breaches, with fines of up to 2% of overall revenue or €10 million (US$11 million), whichever is higher.

The nature of cyber-attacks being experienced by universities at the moment is similar to the threats facing many large organisations with wide-ranging IT systems.

However, one of the greatest challenges at the present time is ‘phishing’, the process whereby criminals fraudulently attempt to steal sensitive information, such as usernames, passwords and credit card details by disguising themselves as a trustworthy contact using e-communication.

Recent examples include:

• A phishing attempt from an external email address was sent to several University of Arizona students, claiming to notify them about a financial award from the Emergency Relief Fund “made possible by the Coronavirus Aid, Relief, and Economic Security Act”.

• Hackers hijacked the cyber-assets of Samsung Canada and the University of Oxford to send phishing emails to Office 365 users, who received seemingly legitimate messages from a trusted source, which included a link to an ‘Office 365 Voicemail’. Once users clicked the link, they were directed to a webpage requesting their Office 365 credentials.

• University of Utah Health patient info was recently breached when criminals accessed patient information, including birthdates and clinical details, after some employees responded unknowingly to phishing schemes sent to their email accounts.

The coronavirus pandemic has made all of us more vulnerable to phishing attacks as staff are often left tired, operating outside of their normal environment, working with technology which can be unfamiliar and communicating with their employers at a distance and in increasingly unusual ways.

One of the big challenges for employers and educators is that, whether operating on-campus or remotely, universities are regarded as open spaces by their very nature. We welcome learners, scholars and partners from around the world with little or no security clearance procedures or risk assessment, particularly when recruiting students and staff.

This environment poses a number of security challenges and highlights the fact that universities should be secure enough to protect their own business activities, as well as the large variety of other stakeholders they are connected to.

Safe and secure software in the ‘internet of things’

Universities should never be seen as the weak link or back door through which cyber-criminals can achieve their goals.

In 2016 the UK government set out plans to commit £1.8 billion (US$2.3 billion) to the UK’s National Cyber Security Strategy, working with organisations from the private sector, public agencies and academia to create a national Cyber Security Centre, a Cyber Innovation Centre and an Institute of Coding.

I was privileged to meet the then chancellor of the exchequer, George Osborne, and be part of discussions which have now led to the opportunity of creating a National Cyber Park in Cheltenham with the National Cyber Innovation Centre at the heart of it.

The University of Gloucestershire is leading discussions with a select group of universities and businesses to discuss the shape and form of this national park. The university is also now one of 17 universities helping its graduates develop skills in writing safe and secure software, as part of the newly set up Institute of Coding.

The way we all work, play and socialise has changed because of this recent phenomenon known as the ‘Internet of Things’. This shorthand describes the online interconnection of computing devices embedded in everyday objects, ranging from phones and fridges through to home thermostats and power stations. Within two years it is estimated that around 26 billion devices will be connected to the internet.

This hyper-connectivity engendered a data tsunami. On average we create 2.5 quintillion bytes of data (that’s one billion, billion bytes) every day. Among other sensitive information this data contains details about our lives, preferences and personalities. The availability of this information in cyber-space, coupled with the augmented artificial intelligence capabilities, is making the challenge of cyber-security ever more complex.

Tips to keeping secure from cyber-crime

Keep the kettle updated: In the past a secured computer with good antivirus software meant everything should be ok. Today, it’s easy to forget to change the default password on a networked CCTV camera, smart kettle, fridge or even TV. However, if these devices haven’t been updated, then an entire organisation could be open to cyber-attack.

Clean the printer: Have you ever thought about what happens to your old printer? At one time you may have scanned or copied a passport or any range of confidential documents on it. When it reaches the end of its life, all of that data is still stored in its memory.

Password with a phrase: How many of us still use a single word for a password and then use this on multiple applications? It takes about two minutes to break this using a brute-force approach. Now, if you use a phrase it can take more than a century of processing power to find the code. Small changes like this can easily move an organisation’s vulnerability from orange to green.

Double check contacts: Hackers are getting very smart. Before you respond to the text from a hotel you’ve booked, double check and call them to ask if they recognise the agent who’s been in touch. Criminals use spear fishing as a favourite technique, meaning they might send an email that looks very genuine, but once you click on that link in the email it downloads malware that can then control your systems.

Make cyber-hygiene a habit: Many staff and students need to get into good ‘cyber-hygiene’ habits. Campus visitors bring laptops and mobile phones with them, while academics frequently connect with organisations from around the world. We need to limit the number of people with administrator privileges and be wary of disgruntled insiders.

Organisations such as GCHQ (Government Communications Headquarters) are very good at keeping things closed. The trick for universities is to remain an ‘open and accessible space for learning’ while at the same time keeping safe.

This is important because, while hackers may not primarily be interested in student or staff data, they definitely want access to partners’ sensitive information and the high processing computing power possessed by universities, which criminals can use to mine crypto-currency.

The ultimate answer to keeping our universities and businesses safe is to take the best precautions possible when it comes to infrastructure and people, and then be prepared to act if things go wrong.

It’s worth keeping in mind that 95% of internal breaches are caused by human error.

Training and education must be continuous as cyber-security is an unremitting process, not a status. It has to be part of a university’s ongoing risk assessment.

The individual is our first line of defence and we all should think of ourselves as human firewalls within our organisations. It is vital to make sure systems are updated regularly and to understand that security is a continuous process. Share good practice – your neighbour could be the weak link so help them – and have a plan for when it all goes wrong.

Professor Kamal Bechkoum is a world-leading cyber-security expert, with an international background in specialist areas including artificial intelligence, leadership and international collaboration. As head of the University of Gloucestershire’s School of Business and Technology, and director of the C11 Cyber Security and Digital Innovation Centre, he recently led a £5 million (US$6.3 million) project to produce highly skilled cyber professionals, working with organisations such as Raytheon, Northrop Grumman, GCHQ, QinetiQ and IRM (Institute of Risk Management).